LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 106.16 Annual Compliance Program Office Risk Assessment
 
  PROCEDURES
  1. The Compliance Program Office (CPO) and Compliance Program Steering Committee (CPSC) will develop a DMH Risk Assessment Checklist. The checklist will include risk areas, risk impacts, vulnerability and risk prioritization.
     
    1. Annually, CPO, CPSC, and Department managers will identify risk areas to be included in the checklist.
       
    2. CPO and CPSC will develop scoring methodology/definitions.
       
      1. Each element will be scored on a 1-5 scale. 
         
      2. Risk assessment scoring definitions, or thresholds, will be developed for use by those rating risk areas on the checklist. Scores of 1 to 5 are to be assigned based on the definitions, knowledge, and intuition.
         
        1. Calculation of impact score: The scores (1 to 5) in each area will be added together to arrive at the risk impact, i.e., Mission Risk + Financial Risk + Legal Risk = Impact.
        2. Calculation of vulnerability score: The risk impact score will be multiplied by the likelihood and detectability scores to arrive at the vulnerability score, i.e., Impact Score x Likelihood x Detectability = Vulnerability Score.
        3. Risk Prioritization Score: Control score less vulnerability score multiplied by a designated percentage. The percentage is a weighting factor. See DMH Risk Assessment Checklist upper left corner for percentages.
          1. No Controls – Vulnerability x 100%
          2. Limited Controls – Vulnerability x 75%
          3. Some Formal Controls – Vulnerability x 50%
          4. Adequate Controls – Vulnerability x 25%
          5. Complete Controls – Vulnerability x 0
           
  2. CPSC will designate the leadership and/or level of management that will complete the assessment checklist. Completed checklists will be submitted to the CPO.
     
  3. The CPO will compile a composite score.
     
  4. Using the composite score, CPO will conduct a controls assessment. This includes: 
     
    1. Assessing existing methods for determining compliance with County internal control requirements; Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Certification Questionnaires that assess compliance with Federal HIPAA requirements; and Compliance Program Questionnaire to assess the seven (7) elements of a highly effective compliance program.
       
    2. Reviewing audit findings.
       
    3. Interviews.
       
    4. Other appropriate auditing and monitoring techniques.
       
  5. Establishing priorities:
     
    1. Evaluate the information obtained in the controls assessment and the composite score to prioritize the risk areas. The result is a list of the risk areas, highest to lowest.
       
  6. Present results of risk assessment to CPSC for discussion and concurrence with results.
     
  7. Develop CPO annual work plan.